More than 21 million login credentials have been stolen by hackers from Fortune 500 companies and have been put up for sale on Dark Web marketplaces, new research has revealed.
Fortune 500 companies are believed to be the organisations that have the highest available financial resources to invest in cyber security to keep corporate data and data belonging to millions, perhaps billions of their customers secure from unauthorised access and misuse.
However, a new study carried out by ImmuniWeb has found that hackers have plundered over 21 million login credentials from Fortune 500 companies and over 16 million of them were stolen and posted on Dark Web platforms in the past twelve months.
What poses a big question mark on Fortune 500 firms' ability to secure their login credentials is that 95 percent of the 21 million stolen credentials contained "unencrypted, or brute-forced and cracked by the attackers, plaintext passwords".
Use of weak and default passwords is still widespread
The study also revealed that only 4.9 million of the 21 million stolen credentials were unique, indicating that the widespread practice of employees using identical or similar passwords is still in place at the world's largest organisations.
All these stolen login credentials belonging to Fortune 500 companies were found pasted on resources within the TOR network, across various web forums, Pastebin, IRC channels, social networks, messenger chats and many other locations notorious for offering, selling or distributing stolen or leaked data," ImmuniWeb said.
While hackers stole around 5 million login credentials each from organisations in technology and financial sectors, they whisked nearly 2 million credentials each from healthcare and industrial organisations, and over 1 million credentials each from energy and telecommunications firms.
Millions of valid login credentials were also stolen from organisations in retail, transportation, motor vehicles, and aerospace and defence sectors. These statistics are not very surprising considering that 47.29% of passwords used by retail organisations, 37.5% by telecommunications firms, 36.19% by industrial organisations, 35.12% by financial firms, and 33.87% by technology firms are either weak or default passwords.
ImmuniWeb also found that around 42% of stolen passwords are somehow related either to the victim’s company name or to the breached resource in question, making password brute-forcing attacks highly efficient, and that 11% of the stolen passwords from one breach are identical pointing out to usage of default passwords, proliferation of [spam & data scraping] bots creating accounts, or a previous password reset setting an identical password to a large set of accounts.
"These numbers are both frustrating and alarming. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive zero-day or time-consuming APTs. With some persistence, they easily break-in being unnoticed by security systems and grab what they want. Worse, many such intrusions are technically uninvestigable due to lack of logs or control over the breached [third-party] systems," said Ilia Kolochenko, CEO and Founder of ImmuniWeb.
"In the era of cloud, containers and continuous outsourcing of critical business processes, most organizations have lost visibility and thus control over their digital assets and data. You cannot protect what you don’t see, likewise you cannot safeguard the data if you don’t know where it’s being stored and who can access it. Third-party risks immensely exacerbate the situation by adding even more perilous unknowns into the game.
"A well-thought, coherent and holistic cyber security and risk management programme should encompass not just your organisation but third parties in a continuous and data-driven manner," he added.
Commenting on ImmuniWeb's findings, Stuart Sharp, VP of solution engineering at OneLogin, said that the scariest takeaway from this discovery is that many companies will never know their cloud services have been compromised. It’s only when secret information comes to light in a public domain, or attackers attempt invoice payment redirection that the account compromise becomes obvious.
"Unless MFA is in place, once login credentials are compromised, attackers can access highly sensitive company information. Organisations need to constantly audit cloud services and control access and protect authentication and authorisation using a combination of Privileged Access Management and MFA," he added.
Hackers are mainly interested in hacking into networks owned by Fortune 500 companies
The large-scale theft of login credentials belonging to Fortune 500 companies could be attributed to the fact that considering how much data, money, and intellectual property these organisations hold and own, hackers dedicate a disproportionate amount of time to breach them or to swindle them through phishing attacks.
Earlier this year, research conducted by Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey and underwritten by security research firm Bromium found that custom-built and specialised malware created specifically to target FTSE 100 and Fortune 500 companies outnumbered off-the-shelf hacking tools and malware by around two to one, indicating that hackers are more willing to buy specialised tools to target the largest organisations rather than using cheaper hacking tools to target smaller firms.
The study found that Dark Web marketplaces are offering access to networks owned by a large number of FTSE 100 and Fortune 500 companies, 29 percent of which are banking and finance companies, 24 percent are healthcare firms, 16 percent are e-commerce firms, and 12 percent are organisations in the education sector. The tools on offer are either stolen remote access credentials, backdoor access software, Remote Access Trojans, or keyloggers.
"The dark net has become a veritable candy store for anyone looking to steal IP and corporate data or disrupt business operations. A world once dominated by off-the-shelf malware has been replaced by a service-driven, on-demand economy. Savvy dark net vendors have responded to increased demand for business access and targeting, offering bespoke malware, access to corporate networks, and targeted corporate espionage services," says Gregory Webb, CEO of Bromium.